Incident Response Expert - IV -IRE04

Job Type: Full Time

Job Description - Incident Response Expert - IV -IRE04


About the Mission

STI provides critical, advanced technical support to the DHS Hunt and Incident Response Team (HIRT). We act as the front-line defense for Government agencies and critical infrastructure owners, executing rapid, on/offsite incident response and proactive hunting to evict adversaries. We secure the nation's infrastructure using sophisticated host- and network-based analysis to identify compromises, characterize breach severity, and develop targeted mitigation plans.

Position Summary

As a Cyber Eviction Analyst (SME), you will serve as a technical expert on high-level incident response teams, tackling exceptionally complex cyber security challenges. You will apply in-depth knowledge of threat actor (TA) tools, techniques, and procedures (TTPs) to proactively hunt, contain, and eradicate malicious activity. This role requires an investigative mindset, significant autonomy in determining technical objectives, and the ability to turn complex forensic findings into actionable, high-impact intelligence for stakeholders. 

Key Responsibilities

  • Proactive Hunting & Response: Act as a Hunt/IR SME, conducting proactive threat hunting and rapid incident response to detect and evict adversaries from network environments.
  • Technical Analysis: Analyze host- and network-based data, forensic artifacts, and malware to characterize breach severity and determine root causes.
  • Evidence-Based Reporting: Distill complex analytical findings into executive summaries and detailed technical reports for high-level stakeholders.
  • Containment & Eradication: Support internal stakeholders and customers on containment, mitigation, and eradication missions.
  • Strategic Advising: Advise technical personnel on countermeasure implementation, security tool customization, and architecture enhancements.
  • Knowledge Management: Document investigation findings in a standardized knowledgebase to improve branch processes and procedures.
  • Technical Leadership: Guide the completion of complex hunt activities with only broad direction, exercising considerable latitude to determine technical approaches. 

Required Qualifications

  • Citizenship: U.S. Citizenship (Mandatory).
  • Clearance: Active TS/SCI Clearance (Mandatory).
  • Suitability: Ability to obtain DHS Suitability.
  • Experience: 8+ years of directly relevant experience in cyber incident response, threat hunting, or forensic analysis.
  • Technical Skills: Strong understanding of network architecture, Windows/Linux operating systems, and adversarial TTPs (MITRE ATT&CK Framework).
  • Communication: Exceptional written and oral communication skills for briefing both technical and executive audiences.
  • Travel: Ability to travel domestically on short notice to support on-site incident response. 

Desired Qualifications

  • Relevant certifications: GCIH, GCIA, GNFA, or similar.
  • Experience with forensic analysis tools (e.g., EnCase, FTK) and EDR platforms.
  • Experience leading or mentoring technical teams during high-stakes incidents.

Additional Qualifications: 

  • Ability to think independently
  • Demonstrates superior written and oral communication skills
  • Must be able to work collaboratively across physical locations
  • Skilled in identifying different classes of attacks and attack stages
  • Understanding of system and application security threats and vulnerabilities
  • Understanding of proactive analysis of systems and networks, to include creating trust levels of critical resources
  • Proficiency with common operating systems (e.g., Linux/Unix, Windows)

Desired Skills:

  • Experience leading and mentoring technical teams
  • Knowledge of Computer Network Defense policies, procedures and regulations
  • Knowledge of different operational threat environments (e.g., first generation [script kiddies], second generation [non nation-state sponsored], and third generation [nation-state sponsored])
  • Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, PL/SQL and injections, race conditions, covert channel, replay, return-oriented attacks, and malicious code)
  • Network and System administration experience
  • Strong understanding of adversarial tactics/techniques/procedures (TTPs)
  • Experience with Identity and Access Management (IAM) tools
  • Ability to review and analyze Enterprise Architecture (EA) from a security perspective
  • Understanding of cyber defense-in-depth principles
  • Hands-on skill in host/network intrusion detection
  • Ability to perform event correlation
  • Experience with malicious activity analysis
  • Ability to collaborate with stakeholders at multiple levels within an organization

Required Education:
BS Computer Science, Cyber Security, Computer Engineering, or related degree; or HS Diploma & 10+ years of technical experience in the area of expertise.

Desired Certifications: One or more

  • DoD 8140.01 IAT Level II, IASAE II, CSSP Analyst
  • DoD 8140.01 GCIA, GCIH, CSSP Analyst/CSSP Incident Responder
  • DoD 8140.01 CEH, CSSP Analyst
  • SANS GIAC GNFA preferred
  • SANS GRID, GICSP, or GCIP a plus

Original job Incident Response Expert - IV -IRE04 posted on GrabJobs ©.

Copyright © 2026 Grabjobs Pte.Ltd. All Rights Reserved.